Date: 2022-07-05

The fake boleto scam has grown in recent years, and reinvented itself, warn cybersecurity experts. According to Febraban (Brazilian Federation of Banks), in 2021 there was a 45% increase in crimes of this type compared to 2020.

One of the facilitators for the growth of the practice is the regularity of large data leaks in Brazil. When fraudsters have access to a lot of specific information about citizens, it becomes easier to create boletos with data very close to the victims’ reality.

To give you an idea, information such as salary, credit score (consulted by stores when consumers shop), bad checks, license plates and even the type of fuel used have already been leaked. Personal data and traces of our digital life have become a gold mine (especially for criminals).

Check out below a definitive guide with everything you need to know to reduce the chances of falling for the fake boleto scam.

How does the scam work?

Last year, after a mega data leak, the digital influencer Nath Finance, known for creating financial education content, almost fell victim to this crime. She received an email identical to the ones sent by the company that provides her internet service, with a supposed duplicate of the boleto.

And that’s how scammers tend to act. They use the name of real companies in the market to try to trick potential victims.

“I just received an identical email from NET with my details saying that I stopped paying the internet bill. Sent a duplicate ticket. I never stopped paying the internet; I entered the app to confirm and the invoice was paid. Yeah… the blows have already started…” Nath Finance (@nathfinancas), February 22, 2021

The most common strategy is to send boletos for telephony and internet services (and other recurring payments), similar to the original, through email, instant messaging applications, SMS or social networks.

Evolution of the scam

In addition to the above, there are more professional approaches these days. “The fraudster can create a false web address, even buy ads on search engines such as Google Ads, in order to impersonate a legitimate website of a company or agency”, says Camilla Jimene, executive president and partner at Opice Blum, Bruno e Vainzof Advogados Associados.

In these cases, when accessing a website thinking it is a safe path, the consumer will be downloading a fake boleto. In some situations, he will be directed to a WhatsApp conversation, in which the fraudster will try to persuade and obtain information for the issuance of a fake boleto.

There is also a third way to carry out this scam. Criminals use the CPF (Cadastro de Pessoas Físicas) of citizens to identify debts and offer false negotiations through means such as WhatsApp or email.

How to know that a boleto is fake?

First, it is necessary to understand how the technological architecture of a fake document works. Angelo Zanini, coordinator of the Computer Science course at Instituto Mauá de Tecnologia (IMT), explains:

When a reputable company issues a slip, this document is registered at the Interbank Payment Chamber (CIP), with the beneficiary’s information, such as name, CNPJ or CPF, address, value, among other information that appears on the slip. From this record, a bar code is generated.

The fraud consists of registering the boleto in the name of a “laranja” (literally “orange”, Brazilian slang for a front person whose name is used to receive the money), editing the document with the information of a company (for example, the name of a school, a telephone and internet company) and sending it to the consumer.

That is, the information that will appear on the boleto will be true, including the amount to be paid. But the barcode will be registered in the name of a laranja, who sometimes may not even know that his name is being used in a scam.

“When entering the code to pay, the name of the beneficiary will appear. And the money goes to his account. The fraudster takes it, and there is no way to undo this operation”, details Zanini.

How to reduce the risks in such cases?

Always check the beneficiary’s information. “If the person is attentive and sees that the beneficiary is not the institution to which the payment is due, he should not complete the operation”, warns the coordinator of the IMT.

When payment is made at a lottery shop or bank teller, it is necessary to ask the attendant to check the beneficiary’s data on the boleto for the consumer. “Financial institutions also need to instruct their employees to always do this data check with consumers”, says Angelo Zanini.

In addition to modifying document components, criminals often use specific malware (malicious programs) to corrupt the original document.

“This type of scam uses a lot of social engineering techniques, which are forms of psychological manipulation that cause people to be deceived and break security procedures”, adds Mariana Canto, a specialist in digital law at the Institute for Research in Law and Technology of Recife (IP.Rec).

Criminals’ Preferred Victim Profiles

The victim’s profile is closely linked to the type of product/service searched for, as well as the preferred platform used.

“For the ‘perfect crime’, the agent thinks about all the steps that the user is used to going through for that type of request, from the purchase of a product to the issuance of the boleto, or that appear to be legitimate and inspire confidence in the consumer”, explains Danielle Serafino, partner at Opice Blum, Bruno e Vainzof Advogados Associados.

People with little experience or contact with technology tend to be the most vulnerable targets.

More protection tips

- Always be wary of boletos sent via email, messaging apps or social networks;
- When scanning a boleto, check that the name of the beneficiary is the same as the institution to which the amount is being paid;
- Check the first three digits of the boleto to verify that they are the code of the bank to which the payment is being made. For example, if your boleto is to be paid to Itaú, whose code is 341, and starts with 237 (which is from Banco Bradesco), this boleto is fake. The bank codes can be found on the Febraban website;
- Choose to download the document directly from the institution’s website. Avoid using the ones that arrive by email. When accessing the site, however, confirm that the web address is the official one and that the connection is encrypted: check in the address bar that the website URL starts with HTTPS before WWW and is accompanied by a padlock. This shows that the site has an SSL digital certificate, indicating that the connection is secure;
- Keep your device’s antivirus updated, whether computer or mobile;
- Avoid making bank transactions or downloading boletos on public Wi-Fi;
- Prefer to use the barcode reader instead of typing the numbers, as in many scams the barcode is tampered with. If a barcode doesn’t work, be suspicious;
- Check that the boleto data and the beneficiary information are the same as they appear when scanning the barcode.
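The bank-code check from the tips above can be automated. The following is an added example, not part of the original article: it parses the 47-digit typeable line of a bank boleto, verifies its check digits and compares the first three digits with the bank the payer expects. The function names and the sample line are constructed for this example, and the 47-digit layout with its mod-10 and mod-11 check digits is assumed from the standard bank boleto format.

```python
import re

def _mod10(digits: str) -> int:
    """Check digit of fields 1-3: weights 2,1,2,... from the right, product digits summed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        p = int(ch) * (2 if i % 2 == 0 else 1)
        total += p // 10 + p % 10
    return (10 - total % 10) % 10

def _mod11(digits: str) -> int:
    """General check digit over the 43 barcode digits: weights 2..9 cycling from the right."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def parse_boleto(line: str) -> dict:
    """Parse a 47-digit bank boleto typeable line (dots and spaces are ignored)."""
    d = re.sub(r"[.\s]", "", line)
    if not re.fullmatch(r"\d{47}", d):
        raise ValueError("expected 47 digits")
    f1, f2, f3, dv, tail = d[:10], d[10:21], d[21:32], d[32], d[33:]
    free_field = f1[4:9] + f2[:10] + f3[:10]
    barcode43 = d[:4] + tail + free_field   # bank + currency + due factor + value + free field
    ok = (all(_mod10(f[:-1]) == int(f[-1]) for f in (f1, f2, f3))
          and _mod11(barcode43) == int(dv))
    return {"bank": d[:3], "amount": int(tail[4:]) / 100, "check_digits_ok": ok}

def review(line: str, expected_bank: str) -> list:
    """Return findings for a boleto the payer expects to be issued by expected_bank."""
    info = parse_boleto(line)
    findings = []
    if not info["check_digits_ok"]:
        findings.append("check digits do not match: line was mistyped or altered")
    if info["bank"] != expected_bank:
        findings.append(f"bank code {info['bank']} is not the expected {expected_bank}")
    return findings

# Constructed sample line (not a real boleto): bank code 237, value 150.00.
SAMPLE = "23790.00124 00000.000349 00000.000562 8 10000000015000"

if __name__ == "__main__":
    print(parse_boleto(SAMPLE))
    print(review(SAMPLE, "341"))   # payer expected Itaú (341), line says 237
```

Valid check digits only show that the line is internally consistent; a boleto registered in a third party’s name passes them, which is why the beneficiary shown at payment time still has to be checked.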

What to do if you are a victim of the scam?

In cases where the fake boleto scam was consummated, the victim can follow the following steps:

- If you don’t have it, immediately save copies of the bill in question and proof of payment (either from an ATM, internet or cell phone);
- Preserve the conversation of the email or applications through which the boleto was sent;
- Immediately notify your bank and the bank to which the payment was made of the fraudulent transaction;
- Also report the fraud to the company whose boleto was counterfeited, pointing out by which means you were approached;
- Make a report for fraud, taking all the necessary documents (CPF, RG) and proof of payment along with a copy of the fake boleto.

If the bank or company refuses to return the money, it is possible to file a complaint with the Procon of your state or through www.consumidor.gov.br, from the Ministry of Justice.

Legal action is possible

If you are unable to get the amount back from the bank or company, you can seek legal action. Compensation will depend on the decision of the court. “It is important to remember that companies are also victims of this type of crime and do not have the means to control a communication established between criminal and client, through private applications”, explains Serafino.

Who can be held responsible?

In cases where an online boleto is not issued through the bank system, the bank cannot be held responsible for the fraud, as it did not take place within the institution’s control environment. In these situations, the store that issued it could be held responsible, for example.

However, when a purchase is made in a store and the fake boleto was issued by a bank, the bank must answer for the damages caused, explains the lawyer.

Therefore, companies should periodically alert their customers and employees to the possibility of scams. Many banks, for example, inform their customers that they do not send boletos or do not correspond by email, only by phone.